Day zero user access to enterprise resources

ABSTRACT

Disclosed are various approaches for providing touchless visitor management. A visitor can complete a visitor registration process using a client device of the visitor and obtain a virtual badge credential to a visitor&#39;s device. A physical access control system credential as well as a visitor badge can also be obtained to the visitor&#39;s device.

RELATED APPLICATION

Benefit is claimed under 35 U.S.C. 119(a)-(d) to Foreign Application Serial No. 202141031667 filed in India entitled “DAY ZERO USER ACCESS TO ENTERPRISE RESOURCES”, on Jul. 14, 2021, by VMware, Inc., which is herein incorporated in its entirety by reference for all purposes.

BACKGROUND

Enterprises can be fast growing organizations that add employees and contract workers at a rapid pace. With each new employee or contract worker, a new user account is often required within enterprise information technology systems. Each new user account can be associated with one or more other accounts in third party systems or applications. The user account might require setup with a single sign-on (SSO) platform, or an identity manager. The user account can also require a new record within a directory service such as Active Directory. Information technology staff of the enterprise can also require provisioning a company issued computer, mobile device, or other devices. As the complexity of technology in enterprises advances, there are be an increasing number of tasks required by information technology (IT) staff to set up a new employee or contract worker with the appropriate resources or applications within the enterprise.

Additionally, as transactions are increasingly touchless, users might desire touchless solutions for setting up their user accounts within the enterprise. In a legacy environment, when a new employee is being onboarded, they might be provided a temporary password for their user account on a label or sheet of paper. Then the user is required to change their password after an initial login to their user account. Additionally, the IT administrator may have to manually setup various user accounts for the user with various services utilized by the enterprise. Accordingly, day zero tasks for new employees or contract workers can be a highly inefficient and time-consuming process, costing enterprise time and resources.

BRIEF DESCRIPTION OF THE DRAWINGS

Many aspects of the present disclosure can be better understood with reference to the following drawings. The components in the drawings are not necessarily to scale, with emphasis instead being placed upon clearly illustrating the principles of the disclosure. Moreover, in the drawings, like reference numerals designate corresponding parts throughout the several views.

FIG. 1 is a schematic block diagram depicting an example implementation according to various examples of the disclosure.

FIG. 2 is an example of the visitor application executed by a client device according to examples of the disclosure.

FIG. 3 is an example of the visitor application executed by a client device according to examples of the disclosure.

FIG. 4 is an example of the visitor application executed by a client device according to examples of the disclosure.

FIG. 5 is a flowchart that illustrates functionality according to examples of the disclosure.

FIG. 6 is a flowchart that illustrates functionality according to examples of the disclosure.

DETAILED DESCRIPTION

Disclosed are examples of a system that facilitates day zero access to enterprise resources for employees and workers who are being onboarded. In some environments, when a new employee or worker is being onboarded, a user account within a directory service and/or identity manager is created. When the user account is created, a record within the directory service is created. The user account often requires an initial password to be generated or defined by an information technology (IT) administrator. A username and the initial password are often provided to a new user via an email to the user's personal email account or provided on paper.

Providing an initial password to the user in this way can result in a security hole. In one aspect, if the initial password is provided to the user's personal email account, the password is provided to an email service over which the enterprise has no control. In another aspect, the initial password being simply written down or printed for the user creates a risk that someone other than the user has access to the password. Additionally, providing the password on paper means that the experience is not a touchless experience, which might be desirable to the enterprise.

A user in an enterprise might also require access to various other applications and services provided by the enterprise, some of which can be third party services. Accordingly, an IT administrator might be required to provision the user for access to these applications for the user. These applications might require an initial setup or an authentication token from an identity manager utilized by the enterprise to provide access to a user of the enterprise.

Examples of this disclosure can allow a user to utilize a one-time use link, or a “magic link,” that allows the user to access a portal in which he or she can create a password, initialize multi-factor authentication, and/or register with an identity provider utilized by the enterprise. The portal accessible using the link can also allow the user to initialize or provision applications or services utilized by the enterprise. In some cases, the link can allow the user enroll a client device with an enterprise mobility management (EMM) platform utilized by the enterprise.

FIG. 1 illustrates an example of a networked environment 100 according to examples of the disclosure. In the depicted network environment 100, a computing environment 103 is in communication with at least one client device 106 and a human resources system 105 over a network 119.

The network 119 includes the Internet, intranets, extranets, wide area networks (WANs), local area networks (LANs), wired networks, wireless networks, other suitable networks, or any combination of two or more such networks. The networks can include satellite networks, cable networks, Ethernet networks, and other types of networks.

The computing environment 103 and human resources system 105 can be a computing environment that is operated by an enterprise, such as a business or other organization. The computing environment 103 and human resources system 105 include a computing device, such as a server computer, that provides computing capabilities. Alternatively, the computing environment 103 and human resources system 105 can employ multiple computing devices that are arranged in one or more server banks or computer banks. In one example, the computing devices can be located in a single installation. In another example, the computing devices for the computing environment 103 and human resources system 105 can be distributed among multiple different geographical locations. In one case, the computing environment 103 and human resources system 105 include multiple computing devices that together can form a hosted computing resource or a grid computing resource. Additionally, the computing environment 103 and 105//can operate as an elastic computing resource where the allotted capacity of computing-related resources, such as processing resources, network resources, and storage resources, can vary over time. In other examples, the computing environment 103 and 105//can include or be operated as one or more virtualized computer instances that can be executed to perform the functionality that is described herein.

Various applications or other functionality can be executed in the computing environment 103. Also, various data can be stored in a data store 112 that can be accessible to the computing environment 103. The data store 112 can be representative of a plurality of data stores 112. The data stored in the data store 112 can be associated with the operation of the various applications or functional entities described below.

The components executed on the computing environment 103 can include a management service 116, a day zero service 120, an identity manager 121, a directory service 122, and other applications, services, processes, systems, engines, or functionality not discussed in detail herein.

In some implementations or in certain cases, devices associated with users in a corporate environment can be managed devices that are enrolled with a management service 116. The management service 116 can be executed by the computing environment 103 in an on-premises implementation or in another computing environment that is separate from the computing environment 103. The management service 116 can also be provided with access to information about users, physical resources, physical access credentials.

The management service 116 can monitor and oversee the operation of one or more client devices 106 by administrators. In some examples, the management service 116 can represent one or more processes or applications executed by an enterprise mobility management (EMM) provider that facilitates administration of client devices 106 of an enterprise that are enrolled with the EMM provider. To this end, the operating system and application ecosystem associated with the client device 106 can provide various APIs and services that allow client devices 106 to be enrolled as managed devices with the management service 116. The management service 116 can also initiate installation of configuration profiles that can be accessed by certain applications installed on a client device 106. In the context of this disclosure, and client device 106 associated with a user need not be enrolled as a managed device. Examples of the disclosure can facilitate enrollment of a client device 106 with a management service 116 utilized by the enterprise by way of the one-time use link.

The data stored in the data store 112 can include user data 132. User data 132 can include, for example, application data 134, device data 136, identity manager data 138, or IDM data 138, one-time link 140, and potentially other information to support the execution of the management service 116, day zero service 120. The data store 112 can include device records 131 and visitor user data 133. The data store 112 can also include various objects and data structures that are associated with an enterprise directory of user accounts and devices. Objects within the data store 112 can be organized into data structures, such as forests, trees, domains, organizational units, groups, partitions, or other organizational structures depending upon a directory service that might be utilized by the enterprise. Additionally, the directory can be replicated across more than one data store 112 for redundancy purposes. The inner-workings and specific structure of the directory are not shown or discussed herein, as they are not necessary for an understanding of examples of this disclosure. Additionally, the directory of users and devices might be separate from user data that is maintained or utilized by the management service 116, day zero service 120, identity manager 121, or directory service 122. However, the exact configuration of user data and device data is not necessary for a full understanding of examples of the disclosure.

Application data 134 can include information about applications utilized by the enterprise to which the user is provided access. Applications can be provided as a third party service. Accordingly, application data 134 can include authentication tokens, credentials, or entitlements, or other data associated with applications that are provided to a user by the enterprise. The application data 134 can also identify the applications that are provided by the enterprise to which the user is provided access.

Device data 136 can include information about a client device associated with a user. When a user registers with an enterprise, or is hired by the enterprise as an employee or worker, the day zero service 120 can generate a one-time link 140 corresponding to the user. The one-time link 140 can be provided to the user and direct the user to a portal provided by the day zero service 120 or the identity manager 121 that can allow the user to generate user account credentials, setup a secondary authentication factor, setup applications utilized by the enterprise, and perform user tasks associated with setting up user accounts within the enterprise. Additionally, the one-time link 140 can allow the user to enroll a client device 106 with a management service 116. Accordingly, device data 136 can include information about a device that is enrolled as a managed device with the management service 116. For example, the device data 136 can include information about the operating system, device type, device capabilities, and other data about a client device 106 that is being used by the visitor to register as a visitor.

Identity manager data 138 can include data about a user that is utilized in conjunction with the identity manager 121. The identity manager data 138 can include a username, password, and potentially other authentication factors that are utilized by the user to access the identity manager 121 and/or other services provided by the enterprise. In one example, a directory service 122 can federate user authentication to the identity manager 121. Additionally, other services utilized by the enterprise can also federate authentication to the identity manager 121. Accordingly, the identity manager 121 can store authentication tokens and other data that facilitates access to third party services for which authentication is federated or delegated to the identity manager 121.

A one-time link 140 can represent a link to a portal, such as a web page or series of web pages, at which a user can define a password within the directory service 122 or identity manager 121, define secondary authentication credentials, select one or more applications to be accessed by the user, enroll a client device 106 with the management service 116, and perform other tasks to setup one or more user accounts associated with the enterprise. The portal can be provided by the day zero service 120, and the one-time link 140 can also be generated by the day zero service 120 and stored in the data store 112 in association with a user account.

The directory service 122 can represent an enterprise user directory such as Active Directory. The directory service 122 can authenticate and authorize users of Windows devices in a Windows domain type network. The directory service 122, in conjunction with the operating system of a client device 106 that is joined to the domain, can assign and enforce security and other usage policies on client devices 106. The directory service 122 can also facilitate management of data and peripherals that are also used and deployed within an enterprise computing environment.

The directory service 122 and operating system of a client device 106 can allow the deployment of group policy rules, or group policies, to client devices 106. The group policy rules can allow for control of certain aspects of a client device 106, such as VPN policies, whether a client device 106 should encrypt its mass storage resources, whether a non-administrator user has access to certain operating system settings, LAN settings, password policies, which applications are installed on the client device, whether the use can install certain applications on the client device 106, and other policies that can control, restrict, or enable certain features of the operating system of a client device 106. The directory service 122 can also be utilized to authenticate a user's access to resources within the enterprise or that are external to the enterprise if the directory service 122 operates as or in conjunction with a single sign-on (SSO) portal, such as the identity manager 121.

The identity manager 121 can represent an SSO portal that can facilitate authentication of users of the enterprise. The directory service 122 can federate authentication to the identity manager 121 in some examples. The directory service 122 can also perform its own authentication. The identity manager 121 can also authenticate user access to other applications, such as source code repositories, messaging applications, productivity applications, cloud services, and other applications that can be provided by the enterprise to users but that may be hosted by third parties.

The day zero service 120 represents a service that can orchestrate day zero activities on behalf of the enterprise for a user. The day zero service 120 can communicate with a human resources system 105 to detect a new employee or new contract worker. The human resources system 105 can be a third-party system that facilitates hiring and other human resources tasks. The human resources system 105 can represent a cloud-based financial management and human resources management system that is utilized by the enterprise to management human resource functions.

The day zero service 120 can utilize an API 141 provided by the human resources system 105 to detect when a new employee record or a new user record is added, which indicates that a new employee or worker has been hired. Upon detecting a new user record in the human resources system 105, the day zero service 120 can generate a one-time link 140 that can facilitate onboarding of the user on their first day, or on day zero. The human resources system 105 can be operated by a third party as a network-accessible service via the API 141. The API 141 can permit the enterprise to make programmatic calls to access employee data in the human resources system 105, such as detecting when a new employee record is added after the employee or worker is hired. The API 141 can also permit the day zero service 120 to access employee data, such as organization, role, position, name, demographic information, and other data about the employee.

The day zero service 120 can create a record corresponding to a new employee with directory service 122 utilized by the enterprise upon detecting the new employee in the human resources system 105. The new record within the directory service can be assigned to a user group within the directory service 122 that is designated for newly hired users. These users can be assigned a temporary password by the directory service 122 or no password directory service 122. In the case of no password being assigned to the user, the user can be prompted to create a password the first time the user accesses his or her user account.

The day zero service 120 can also create a user account for the user identified in the human resources system 105 within the identity manager 121. The enterprise can utilize an identity manager 121 to federate user authentication from the directory service 122 and for other applications and third-party services that are provided by the enterprise to its users. In this scenario, the user's authentication credentials can be held by the identity manager 121. Accordingly, the day zero service 120 can cause the identity manager 121 to generate a temporary password or prompt to create a password the first time the user accesses his or her user account within the identity manager 121.

The human resources system 105 represents one or more computing devices operated by or on behalf of a third-party human resources application. The human resources system 105 can provide an API 141 that can be accessed by other applications associated with the enterprise, such as the day zero service 120. As noted above, the human resources system 105 can provide various features utilized by the enterprise for human resources

The client device 106 can represent a computing device or mobile device associated with a visitor. The client device 106 includes, for example, a processor-based computer system. According to various examples, a client device 106 can be in the form of a desktop computer, a laptop computer, a personal digital assistant, a mobile phone, a smartphone, or a tablet computer system.

In one implementation, the client device 106 can execute an operating system 146. The operating system 146 can represent a mobile or desktop operating system such as iOS™, Android, Windows™ or other computing environments. The operating system 146 can allow the client device 106 to be enrolled as a managed device with the management service 116. In some examples, a management client or a management component can also be installed on the client device 106 that facilitates management of the client device 106. The operating system 146 can provide one or more APIs that facilitate management of the client device 106. The management client or management component can be installed with elevated or administrative privileges and enforce compliance rules that are specified by the management service 116. Additionally, the management component or management client can install profiles, certificates, applications, and carry out other management tasks on the client device 106 on behalf of the management service 116.

The client device 106 can run client applications 150 that are installed on the client device 106. Client applications 150 can be utilized to access third party services. The one or more other client applications 150 can be provisioned by the management service 116 or installed by the user. In one scenario, the day zero service 120 can provide a portal through which a user can enroll his or her device as a managed device with the management service 116. The portal can also allow the user to select client applications 150 that are installed on the client device 106. Upon selecting client applications 150 using the portal, the management service 116 can cause the selected client applications 150 to be installed on the client device 106 that has been enrolled as a managed device with the management service 116. Additionally, the day zero service 120 can cause the identity manager 121 to generate an authentication token on behalf of the user for the selected client applications 150 if there is a corresponding authentication credential that is required to use the client applications 150.

In some instances, an application that is only a web-accessible application can be selected or provisioned by the user through the portal. For the web-accessible applications, the day zero service 120 can cause the identity manager 121 to generate an authentication token on behalf of the user for the selected web-accessible applications if there is a corresponding authentication credential that is required to use the web-accessible application.

Referring next to FIG. 2 , shown is an example of a client device 106 and a one-time link 140 that can be provided to a user by the day zero service 120. When an employee record or user record is added to the human resources system 105, indicating that a new employee or user is being hired by the enterprise, the day zero service 120 can detect the new employee or user using the API 141 provided by the human resources system 105. In response to detecting the new employee or user, the day zero service 120 can generate a one-time link 140 and assign the one-time link 140 the new employee or user.

The one-time link 140 can be provided to the user by the day zero service 120. The one-time link 140 can be emailed or otherwise messaged to a client device 106 associated with the user. The one-time link 140 can point to a portal provided by the day zero service 120 through which the user can complete setup of a user account within the enterprise. The portal can allow the user to complete setup of the user account, select or install applications provided by the enterprise, setup additional or secondary authentication factors, and perform other tasks that might be needed or required for the user to complete setup of the user account. For example, the portal can include a link to human resources tools that allow an employee to enroll in employee benefits, time-tracking, or other resources and tools that can be provided by the enterprise.

As shown in the example of FIG. 2 , the one-time link 140 generated for the user can be emailed to an email address associated with the user that is different from the user's corporate email address. The email address can be stored in the human resources system 105 and associated with the employee's pre-hiring record within the human resources system 105. The one-time link 140 can also be sent to the user's client device 106 via text messaging or another messaging channel that is available to the day zero service 120 or the human resources system 105.

The one-time link 140 can be stored in the data store 112 and associated with a user record created within the directory service 122. The day zero service 120 can cause a new user record to be created within the directory service 122 upon detecting that a new employee or worker has been hired. The day zero service 120 can also expire the one-time link 140 upon detecting that the one-time link 140 has been used. In this way, the security of the employee onboarding process can be improved because the portal provided by the day zero service 120 at the one-time link 140 can require the user to create an authentication credential. Accordingly, the user's credential is not known to the administrator because the one-time link 140 does not include the password of the user.

Additionally, the one-time link 140 can include a security token or a security string that can be signed by the day zero service 120, which limits the ability of a malicious actor from generating a valid one-time link 140 that can be utilized to access a portal provided by the day zero service 120 to perform zero day activities. For example, the day zero service 120 can generate a one-time link 140 that includes a unique identifier as a URL query string. The unique identifier can be signed or encrypted using an encryption algorithm. When accessed, the day zero service 120 can validate the one-time link 140 accessed by a client device 106 to validate that the one-time link 140 that is being accessed is valid. Only after validating the link, the day zero service 120 can provide a portal corresponding to a user associated with the one-time link 140. If the one-time link 140 cannot be validated by the day zero service 120, the day zero service 120 can return an error page to the client device 106 that is attempting to access the invalid link.

Referring next to FIG. 3 , shown is an example portal that can be provided by the day zero service 120 when a user accesses a one-time link 140 that is provided to the user. Again, the one-time link 140 can be provided to the user to a client device 106, and the user can access the one-time link 140 to perform user account setup tasks, application selection and setup, and other first day activities. The portal provided by the day zero service 120 can comprise a series of pages or a workflow that allow the user to perform various tasks.

For example, the user can setup a password for a user account in the directory service 122 or the identity manager 121. The user can also setup a secondary authentication factor for a user account. In some cases, the directory service 122 can federate user authentication to an identity manager 121 that provides single sign-on (SSO) capabilities to users of the enterprise or that have accounts in the directory service 122. In addition to setting up a password, the portal can also allow the user to setup a secondary authentication factor associated with a user account in the identity manager 121 or the directory service 122

Referring next to FIG. 4 , shown is an example portal that can be provided by the day zero service 120 when a user accesses a one-time link 140 that is provided to the user. Again, the one-time link 140 can be provided to the user to a client device 106, and the user can access the one-time link 140 to perform user account setup tasks, application selection and setup, and other first day activities. The portal provided by the day zero service 120 can comprise a series of pages or a workflow that allow the user to perform various tasks.

In the example of FIG. 4 , the portal can allow the user to select applications for provisioning, setup, or installation on his or her client device 106. In some examples, authentication can be provided for a particular application by the identity manager 121. Accordingly, when a user selects an application, the portal can direct the client device 106 to a site corresponding to the application, which can in turn redirect the client device 106 to the identity manager 121 so that the user can authenticate his or her credentials and obtain an authentication token for the application.

In some examples, upon selecting an application, the portal can redirect the client device 106 to a site or application through which the user install a client applications 150 on the client device 106. For example, the portal can redirect the client device 106 to an application or a listing in an application through which the user can install the selected client applications 150 on the client device 106. As another example, the portal can instruct the management service 116 to install the client applications 150 on the client device 106.

In some examples, the portal can provide a link or workflow that causes a client device 106 of the user to be enrolled as a managed device with the management service 116. In one scenario, a link can cause a management profile to be downloaded to a client device 106 of the user. The client device 106 can be the user's device or a device that is issued by the enterprise to the user. The management profile can cause the operating system of the client device 106 to enroll the client device 106 as a managed device with the management service 116.

Referring to FIG. 5 , shown is a flowchart that provides one example of how the day zero service 120 can facilitate day zero tasks for a user. The.

First, at step 501, the day zero service 120 can provide a visitor registration form to a client device 106 of a visitor. The visitor registration form can be provided by transmitting a URI to the client device 106. The URI can be provided to the client device 106 by embedding the URI into a QR code that is displayed in a visitor lobby. The URI can also be provided via an RFID or NFC tag that is provided in the visitor lobby, and the visitor is prompted to tap the RFID tag or NFC tag to begin the visitor registration process. The URI can cause the client device 106 to open the visitor registration form in a browser application on the client device 106. The visitor registration form can be customized by a representative of the enterprise to provide the

At step 503, the day zero service 120 can obtain information entered into the visitor registration form from the client device 106. The information can include the visitor's name, email address, an identity of a host that is hosting the visitor, a photo of the visitor, a photo or scan of the visitor's identification, business card, or other information that can be requested from the visitor Again, as noted above, the visitor registration form can also include responses to questions or a survey that the enterprise can request or require from the visitor. The questions can include a health or security questionnaire that must be correctly answered before the visitor is granted entry into the facility. In one example, the day zero service 120 can be configured to automatically deny access to the visitor if the visitor answers a particular question in a way that determines the visitor is not entitled access to the facility. For example, if the visitor responds that he or she has an illness that disqualifies the visitor from entering the facility, the day zero service 120 can deny the request to allow the visitor access to the facility without additional intervention by a host or lobby attendant.

At step 505, upon completion of the visitor registration form and after receiving the visitor registration data from the visitor registration form, the day zero service 120 can determine whether the visitor has been pre-approved or pre-registered as a visitor by a host. The day zero service 120 can make this determination by checking the visitor user data 124 to determine whether an indication that a visitor with a name, email address, phone number, visit date, and/or other identifying information is associated with a visitor record that is also indicated as pre-approved. If the visitor is pre-approved, the process can proceed to step 511. If the visitor is not indicated as pre-approved, the process can proceed to step 507.

At step 507, the day zero service 120 can generate a notification that is sent to a host identified in the visitor registration data submitted in the visitor registration form. The notification can be sent to a client device of a host, such as in an enterprise application in which enterprise notifications, data, and other information is presented. The notification can also be sent by email or a messaging service. The notification can include information presented in the visitor information form, such as the name, email address, and other identifying information about the user. The notification can also request that the host authorize the visitor. The notification can also request that the host approve or deny the visitor request.

At step 509, the day zero service 120 can determine whether the host has approved the visitor request in response to the notification. If the host has denied the request, the process can proceed to completion. In some embodiments, the day zero service 120 can notify the visitor through the client device 106 that their request has been denied. In some examples, if the request times out, the request can be denied after a timeout period and a notification sent to the visitor client device 106.

If the day zero service 120 receives approval of the request from a host, the process can proceed to step 511. At step 511, the day zero service 120 can generate or obtain one or more of a virtual visitor badge, a PACS credential for accessing one or more access control reader 108 in the facility, and a network credential for accessing an enterprise network or guest network associated with the facility. In some examples, the PACS credential and visitor badge can be combined into a single virtual badge that can be accessed by the visitor application 148 on the client device 106.

The visitor badge can include an identifier with which the visitor can be identified if challenged by personnel or by a badge reader. The identifier can include one or more of the visitor's name, email address, photo, an alphanumeric identifier, a barcode, a QR code, dates of the visit, or other text with which the visitor can be identified. The visitor badge can be viewable as a standalone document or image or viewable only through a special purpose app, such as the visitor application 148.

The PACS credential can be obtained from the physical access control server 123 or the 105//through a vendor API with which PACS credentials can be generated. The PACS credential can be provided to the visitor application 148 or a special purpose application on the client device 106 that can present the PACS credential to one or more access control reader 108 on behalf of the visitor.

The network credential can be a network profile or WiFi profile that can be installed onto the client device 106 and provide access to an enterprise or enterprise guest network. The network credential can also be provided in text form, such as the name of the network and/or the network password. If provided as an installable profile, the visitor application 148 or the operating system 146 of the client device 106 can install the profile onto the client device 106 so that the visitor can utilize a network of the enterprise during his or her visit. In some implementations, the credentials issued to the client device 106 can expire after an expiration time period or at the end of the visitor's visit.

At step 513, the visitor badge, PACS credentials, and/or network credential can be associated with an expiring link, or a one-time-use link. The expiring link can be associated with the visitor in the visitor user data 124. The expiring link can expire after it is accessed by the visitor using his or her client device 106. The expiring link can comprise a URI that points to a resource that includes the downloadable visitor badge, PACS credential, and/or network credential. The URI can comprise a deep link that causes the visitor application 148 to be launched on the client device 106 and for the visitor application 148 to access the resource. The resource can be encoded such that it can be opened only by the visitor application 148. The URI can also cause the operating system 146 of the client device 106 to redirect the user of the client device 106 to an application marketplace to install the visitor application 148 if the visitor application 148 is not installed on the client device 106.

The expiring link can also point to a page that can be opened in a browser of the client device 106 that provides additional links to a downloadable visitor badge, PACS credential and/or network credential.

At step 515, the expiring link can be sent to the visitor's client device 106. The link can be sent to the client device 106 in an email, messaging notification, or presented in a browser page in response to submission of the visitor registration form. Thereafter, the process can proceed to completion.

The flowchart of FIG. 5 shows examples of the functionality and operation herein can be embodied in hardware, software, or a combination of hardware and software. If embodied in software, each element can represent a module of code or a portion of code that includes program instructions to implement the specified logical function(s). The program instructions can be embodied in the form of source code that includes human-readable statements written in a programming language or machine code that includes machine instructions recognizable by a suitable execution system, such as a processor in a computer system or other system. If embodied in hardware, each element can represent a circuit or a number of interconnected circuits that implement the specified logical function(s).

Although the flowchart of FIG. 5 shows a specific order of execution, it is understood that the order of execution can differ from that which is shown. The order of execution of two or more elements can be switched relative to the order shown. Also, two or more elements shown in succession can be executed concurrently or with partial concurrence. Further, in some examples, one or more of the elements shown in the flowcharts can be skipped or omitted. In addition, any number of counters, state variables, warning semaphores, or messages could be added to the logical flow described herein, for purposes of enhanced utility, accounting, performance measurement, or troubleshooting aid. It is understood that all such variations are within the scope of the present disclosure.

The client device 106, computing environment 103, or other components described herein, can each include at least one processing circuit. The processing circuit can include one or more processors and one or more storage devices that are coupled to a local interface. The local interface can include a data bus with an accompanying address/control bus or any other suitable bus structure. The one or more storage devices for a processing circuit can store data or components that are executable by the one or processors of the processing circuit. Also, a data store can be stored in the one or more storage devices.

The management service 116, day zero service 120 visitor application 148, and other components described herein can be embodied in the form of hardware, as software components that are executable by hardware, or as a combination of software and hardware. If embodied as hardware, the components described herein can be implemented as a circuit or state machine that employs any suitable hardware technology. The hardware technology can include one or more microprocessors, discrete logic circuits having logic gates for implementing various logic functions upon an application of one or more data signals, application specific integrated circuits (ASICs) having appropriate logic gates, programmable logic devices (e.g., field-programmable gate array (FPGAs), and complex programmable logic devices (CPLDs)).

Also, one or more or more of the components described herein that includes software or program instructions can be embodied in any non-transitory computer-readable medium for use by or in connection with an instruction execution system such as a processor in a computer system or other system. The computer-readable medium can contain, store, or maintain the software or program instructions for use by or in connection with the instruction execution system.

The computer-readable medium can include physical media, such as, magnetic, optical, semiconductor, or other suitable media. Examples of a suitable computer-readable media include, but are not limited to, solid-state drives, magnetic drives, flash memory. Further, any logic or component described herein can be implemented and structured in a variety of ways. One or more components described can be implemented as modules or components of a single application. Further, one or more components described herein can be executed in one computing device or by using multiple computing devices.

It is emphasized that the above-described examples of the present disclosure are merely examples of implementations to set forth for a clear understanding of the principles of the disclosure. Many variations and modifications can be made to the above-described examples without departing substantially from the spirit and principles of the disclosure. All of these modifications and variations are intended to be included herein within the scope of this disclosure. 

What is claimed is:
 1. A system for enabling user access to enterprise resources comprising: at least one computing device a processor and a memory; and an application executable by the at least one computing device, the application causing the at least one computing device to at least: detect a new employee record in a data store associated with a human resources system using an application programming interface (API) provided by the human resources system, the new employee record indicating that a new employee is being onboarded; create a record corresponding to the new employee in a directory service, the directory service being associated with an enterprise directory; place the record into an onboarding group within the directory service; synchronizing the record with an identity manager associated with the enterprise, the identity manager providing a single sign-on capability associated with the enterprise; and generating a one-time link that is unique to the record, the one-time link providing access to an application catalog comprising a plurality of applications, the plurality of applications being facilitating self-service onboarding of the employee.
 2. The system of claim 1, wherein the application generates a second one-time link that is different from the one-time link, the second one-time link providing access to the application catalog subsequent to the one-time link being used.
 3. The system of claim 1, wherein the one-time link points to a server associated with the identity manager, the server validating the one-time link and redirecting a client device accessing the one-time link to the application catalog.
 4. The system of claim 3, wherein the identity manager generates a user interface facilitating a password creation workflow for the new employee.
 5. The system of claim 3, wherein the identity manager generates a user interface facilitating a secondary authentication factor workflow for the new employee.
 6. The system of claim 1, wherein the one-time link points to a server associated with a management service, wherein a client device accessing the management service is enrolled as a managed device with the management service.
 7. The system of claim 6, wherein the client device is enrolled as a management device with the management service by downloading a management profile that is installed on the client device.
 8. A method comprising: obtaining a request to register a visitor; providing a registration link to a client device associated with the visitor, the registration link pointing to a visitor registration portal; obtaining visitor registration data associated with the visitor from the visitor portal; obtaining confirmation of the request to register the visitor; and generating an expiring link that is unique to the visitor, the expiring link comprising a link to a downloadable profile, the downloadable profile associated with a digital visitor badge, the digital visitor badge comprising a code that is verifiable by another device, the expiring link further providing access to at least one facility access credential for the visitor, wherein the downloadable profile and the at least one facility access credential are transmitted to a client device of the visitor.
 9. The method of claim 8, wherein the expiring link further directs a client device of the visitor to install an application that can obtain the downloadable profile or the at least one facility access credential.
 10. The method of claim 8, further comprising: generating a physical access control system (PACS) credential providing access to at least one PACS reader associated with a facility; and providing the PACS credential to the client device in response to the client device accessing the expiring link.
 11. The method of claim 8, wherein the physical access controller caches the virtual badge credential corresponding to the user account.
 12. The method of claim 8, further comprising disabling the expiring link in response to the client device accessing the expiring link.
 13. The method of claim 8, wherein the at least one facility access credential further comprises an enterprise network credential providing guest access to an enterprise network, wherein the enterprise network credential is downloadable as a network profile to the client device.
 14. The method of claim 8, wherein the expiring link further comprises a link to a page comprising a visitor information survey, wherein the visitor management application withholds the at least one facility credential or the digital visitor badge until successful completion of the visitor information survey.
 15. A non-transitory computer-readable medium comprising machine-readable instructions, wherein when executed by a processor of at least one computing device, the machine-readable instructions cause the at least one computing device to at least: obtain a request to register a visitor; provide a registration link to a client device associated with the visitor, the registration link pointing to a visitor registration portal; obtain visitor registration data associated with the visitor from the visitor portal; obtain confirmation of the request to register the visitor; and generate an expiring link that is unique to the visitor, the expiring link comprising a link to a downloadable profile, the downloadable profile associated with a digital visitor badge, the digital visitor badge comprising a code that is verifiable by another device, the expiring link further providing access to at least one facility access credential for the visitor, wherein the downloadable profile and the at least one facility access credential are transmitted to a client device of the visitor.
 16. The non-transitory computer-readable medium of claim 15, wherein the expiring link further directs a client device of the visitor to install an application that can obtain the downloadable profile or the at least one facility access credential.
 17. The non-transitory computer-readable medium of claim 15, wherein the machine readable instructions further cause the processor at least: generate a physical access control system (PACS) credential providing access to at least one PACS reader associated with a facility; and provide the PACS credential to the client device in response to the client device accessing the expiring link.
 18. The non-transitory computer-readable medium of claim 15, wherein the digital visitor badge comprises a quick response (QR) code that is downloadable to the client device.
 19. The non-transitory computer-readable medium of claim 15, wherein the at least one facility access credential further comprises an enterprise network credential providing guest access to an enterprise network, wherein the enterprise network credential is downloadable as a network profile to the client device.
 20. The non-transitory computer-readable medium of claim 15, wherein the expiring link further comprises a link to a page comprising a visitor information survey, wherein the visitor management application withholds the at least one facility credential or the digital visitor badge until successful completion of the visitor information survey. 